CCSP SECUR Exam Cram 2 (642-501)

Sometimes, you might not be able to figure out what is causing tunnel problems. A client might not be able to create an IPSec tunnel even though the configuration parameters appear to be good. The following commands are excellent for troubleshooting IKE and IPSec:

  • debug crypto ipsec: Displays IPSec events.

  • debug crypto isakmp: Displays IKE events.

If you issue debug crypto isakmp and the debug output contains the text 'SA is not authenticated', IKE Phase 1 authentication failed: the local IPSec router tried to authenticate the remote IPSec router and was not able to.

If you issue debug crypto isakmp and the debug output contains the text 'attribute not offered', the IPSec peers failed to agree on a matching IKE policy. Remember, when configuring an IKE Phase 1 policy, at least one policy must match (exactly) on both the local IPSec router and the remote IPSec router.
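An added example, not from the book: a Python check of the exact-match rule above, run against two constructed router configurations before anyone turns on debugging. The function names are hypothetical, the defaults table assumes classic IOS behavior, and lifetime is left out of the comparison.

```python
import re

# Classic IOS defaults for attributes a policy block omits (assumption: verify
# with "show crypto isakmp policy" on your image). Lifetime is not compared.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def parse_policies(config):
    """Return {priority: attrs} for each 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
        elif line.startswith(" ") and current is not None:
            parts = line.split()
            if len(parts) >= 2 and parts[0] in DEFAULTS:
                current[parts[0]] = " ".join(parts[1:])
        else:
            current = None  # left the policy block
    return policies

def compare(local, remote):
    """Closest policy pair as (local_prio, remote_prio, differing_attrs).

    An empty differing_attrs list means that pair matches exactly."""
    best = None
    for lp in sorted(local):
        for rp in sorted(remote):
            diff = sorted(k for k in DEFAULTS if local[lp][k] != remote[rp][k])
            if best is None or len(diff) < len(best[2]):
                best = (lp, rp, diff)
    return best

# Constructed sample configurations (not from the book).
ROUTER_A = """crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
"""
# No hash line here, so this policy falls back to the default (sha).
ROUTER_B = """crypto isakmp policy 20
 encryption 3des
 authentication pre-share
 group 2
"""

if __name__ == "__main__":
    print(compare(parse_policies(ROUTER_A), parse_policies(ROUTER_B)))
```

The sample pair fails only on the hash attribute, because a value left at its default does not appear in the policy block and is easy to overlook when comparing two configurations by eye.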
